Hello,
In the C# security analysis suite, the query Denial of Service from comparison of user input against expensive regex (cs/redos) relies heavily on underlying helper logic to flag regular expressions with potential exponential behavior. Specifically, in csharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll (lines 58–72). This uses a set of hardcoded regular expressions via regexpMatch to identify string literals that represent exponential (ReDoS-vulnerable) regular expressions.
While these three variations catch patterns like ([a-z]+.)+, they are fragile syntactic approximations. This approach misses variations of overlapping or nested quantifiers, creating a scenario where dangerous regex structures easily bypass the query's detection due to minor structural variations.
For example the query overlooks risky patterns like these:
- Nested Quantifiers without literals:
(a*)*b or (x+)*
- Overlapping Alternations/Sequences:
(x+x+)+y
- Complex or Distant Structural Paths: Patterns that contain non-trivial prefixes/suffixes or specific character class structures can fail to match the strict capture-group structures defined in the QL code. Depending on the engine evaluating these meta-regexes, they could themselves face performance degradation when scanning highly complex, non-matching input paths.
This issue stood out because these specific pattern variants can easily slip through the ReDoS query undetected. This creates a gap between the security results and the actual risk. I'm wondering if it would be possible address this in a future version?
Version: 2.26.0
Hello,
In the C# security analysis suite, the query
Denial of Service from comparison of user input against expensive regex(cs/redos) relies heavily on underlying helper logic to flag regular expressions with potential exponential behavior. Specifically, incsharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll(lines 58–72). This uses a set of hardcoded regular expressions viaregexpMatchto identify string literals that represent exponential (ReDoS-vulnerable) regular expressions.While these three variations catch patterns like
([a-z]+.)+, they are fragile syntactic approximations. This approach misses variations of overlapping or nested quantifiers, creating a scenario where dangerous regex structures easily bypass the query's detection due to minor structural variations.For example the query overlooks risky patterns like these:
(a*)*b or (x+)*(x+x+)+yThis issue stood out because these specific pattern variants can easily slip through the ReDoS query undetected. This creates a gap between the security results and the actual risk. I'm wondering if it would be possible address this in a future version?
Version: 2.26.0